Report: Target Missed Its Chance To Prevent Data Breach

Late last year, during the holiday season, hackers somewhere in Europe stole 40 million credit and debit card numbers and tens of millions of other pieces of personal information from Target customers in the United States. As reported by Bloomberg Businessweek's Michael Riley, the malware attack wasn't particularly sophisticated or unique, and Target's security systems were extensive and ready for such an attack — and yet Target missed the early security warnings.

After the hack was made public, Target customers filed more than 90 lawsuits against the company, alleging negligence and seeking compensation.

Riley, along with three colleagues, interviewed former Target employees with knowledge about the security systems, and people with knowledge of the hack itself and the aftermath. Riley spoke about the investigation with NPR's Melissa Block.

Interview Highlights

On a malware-detection system installed by Target six months before the attack

Security systems are changing and this is one of the cutting-edge, behavior-based ones. The interesting thing about it is, it was initially funded by the CIA. It essentially sets up a series of virtual computers. Anything that's coming in Target's network, in terms of data, goes through these virtual computers, which are configured exactly like Target's own computers. Essentially, what it does [is] it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer so when malware comes into a network it can actually see what happens to the malware over a period of days, weeks or even years, in a split second. Once that starts to happen it sends out an alert that says, "Hey, there's a piece of hacking malware in your system, you should go fix it." That part of the function worked.

On why Target delayed announcing the security breach

Whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. Attorney and the Secret Service knocked on their door on Dec. 12 and said, "You've got a problem." And it takes them about three days to figure out that all this malware is not just on that one server but on every single or many, many [point of sale] systems through their entire store network in the United States.

On Target's response to the Bloomberg Businessweek investigation

The response was pretty minimal. They pointed out that they're doing a complete review of the security systems that they have in place and that they are trying to figure out how to improve those systems. At this point, it's really the lawyers that have sort of taken control of what their response can or should be.

On hackers in Ukraine and Russia and why the U.S. can't go after them

It's a very boisterous, very well-oiled machine and there are literally millions and millions of credit cards sold around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen they get posted on ... websites that really look like Amazon.com. They'll run anywhere from $8-$50, depending on the quality of the cards, things like credit limit. And then you'll pop it into an electronic basket just like Amazon and check out. ... On some level these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine.

The retail giant Target is still reeling from a massive breach of its payment systems during last year's holiday shopping season. Hackers stole 40 million credit and debit card numbers and tens of millions of other pieces of personal information - addresses, phone numbers and more. The company faces more than 90 lawsuits and has already spent tens of millions of dollars dealing with the fallout from the breach.

And now, a Bloomberg Businessweek story out today contends that Target itself could have prevented the attack. Mike Riley is co-author of that story, and he joins me here in our studios. Welcome to the program.

MIKE RILEY: Thanks very much.

BLOCK: And let's go back and explain. You found out that six months prior to the attack, Target had installed a very sophisticated malware detection system called FireEye, which actually worked exactly as it was intended to work. Tell us a bit about the system and what happened with it.

RILEY: Yeah. Security systems are changing, and this is one of the sort of cutting-edge, really, sort of behavior-based ones. The interesting thing about it, it was initially funded by the CIA. What it does is it essentially sets up a series of virtual computers. Anything that's coming in Target's network in terms of data goes through these virtual computers, which are - configure exactly like Target's own computers.

So essentially what it does is it tricks the hackers into believing that they are in Target's networks. It also has this nice trick where it can advance the clock of a computer. So when malware comes into a network, it can actually see what happens to the malware over a period of days, weeks or even years in a split second. Once that starts to happen, it sends out an alert that says, hey, there's a piece of hacking malware in your system, you should go fix it.

BLOCK: And that's what happened here. This detection system did exactly that, right? Told Target something bad is going on here.

RILEY: That's right. That part of the function worked. So on November 30th - and keep in mind, this is before any of the data leaves Target's network - the alerts begin to go off. And for some reason that's not clear, Target didn't act on it in time.

LEAH BINKOVITZ, BYLINE: So these malware detection alerts are coming in November 30th, December 2nd. Target says they weren't alerted about the breach until December 12th by federal authorities. They don't tell consumers until December 19th. Why the delay?

RILEY: That's right. Well, whatever was going on inside Target's security team, they didn't recognize this as a serious breach. There was no serious investigation that went on. They didn't go to the server itself to figure out what the malware was doing. What they've said publicly is that they didn't know anything about the hack until the U.S. attorney and the Secret Service knocked on their door on December 12th and said, you've got a problem. And it takes them about three days to figure out that all this malware is not just on that one server but on every single or many, many POS systems through the entire store network in the United States.

BLOCK: You write in your story, Mike, Target stood by as 40 million credit card numbers gushed out of its mainframes. You asked them for a response to your story. What did they tell you?

RILEY: You know, the response was pretty minimal. They pointed out that they are doing a complete review of the security systems that they have in place and that they are trying to figure out how to improve those systems. At this point, it's really - the lawyers have sort of taken control of what their response can or should be.

BLOCK: It does seem that - I mean, if Target was aware of a massive breach like this, with these huge implications for them, they would have done something about it. I mean, they would have acted if they had known the seriousness of the problem.

RILEY: Yeah, no, I think that's exactly right. I don't think they knew exactly what was going on. It's one thing to sort of get an alert from a system that says you may have malware on your server. It's an entirely different thing to know that 40 million credit cards are leaving your network. It's not that they sat by while they watched 40 million credit cards go out. No responsible company is going to do that. But they had all the pieces of the puzzle. If they'd simply put them together, they could have stopped this.

BLOCK: We've been focusing on the hack itself. But let's talk also about the hackers...

RILEY: Sure.

BLOCK: ...because you do a lot of reporting on who they are. Your research led to Ukraine and Russia, to cybergangs notorious for their successes in just these kinds of breaches. Who are these people and why can't the U.S. go after them?

RILEY: It's a very boisterous, very well-oiled machine. And there are literally millions and millions of credit cards that are stolen around the world every day. They have a very good system for distributing, selling, repackaging. One of the ways that it works is once the credit cards are stolen, they get posted on quarter websites. These are websites that really look like Amazon.com. They'll run anywhere from eight to $50, depending on the quality of the cards, things like the credit limit. And then you'll pop them into an electronic basket, just like Amazon, and check out.

It's a fascinating world to look in. It's just fascinating to see how efficient this is. On some level, these guys have found the perfect crime. You can sit and hack a major Fortune 500 company from your couch in Ukraine. You can steal data that has value. You can sell that value on an automated website. You can make money from it. And you're really not at much risk.